Search Postgresql Archives

Re: SQL injection, php and queueing multiple statement

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

> Is there a switch (php side or pg side) to avoid things like:
> 
> pg_query("select id from table1 where a=$i");
> 
> into becoming
> 
> pg_query("select id from table1 where a=1 and 1=1; do something
> nasty; -- ");

Ideally, you'd use this:

pg_query_params('select id from table1 where a=$1', array($i));

http://us2.php.net/manual/en/function.pg-query-params.php

Alternately, you can do this:

$i = pg_escape_string($i);
pg_query(" select id from table1 where a='$i' ");
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Postgresql Jobs]     [Postgresql Admin]     [Postgresql Performance]     [Linux Clusters]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Books]     [PHP Databases]     [Postgresql & PHP]     [Yosemite]
  Powered by Linux